www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
23 April 2007  

Updates

A compilation of the latest information about viruses and worms, security issues and patches to rectify the same

Virus hits iPod

It was only a matter of time before someone developed a proof-of-concept virus aimed at the iPod. Discovered by Kaspersky Lab, it is a file which can be launched and run on an iPod.

The good news for the users is that it can only function on devices where Linux is installed. It is totally platform dependent; iPods running Linux are a decidedly smaller subset. If the virus called Podloso should manage to key onto such an iPod, it would install itself in the folder that contains the program demo versions.

Once the virus is launched, it scans the device’s hard disk and infects all executable .elf format files. A message, “You are infected with Oslo the first iPodLinux Virus” pops up when a user tries to access such infected files.

According to Kaspersky, it is a typical proof-of-concept virus which is created in order to show that it is possible to infect a specific platform. Like most of the ballyhooed mobile phone viruses, Podloso is unable to spread.

Even if the threat associated with it is lower, its emergence is disconcerting to Apple users who have watched the company’s reputation for impeccable security become sullied over the past 18 months or so.

In 2006, iChat and Safari were both targeted by worm attacks. After these, iPods were the next target for hackers. Last year, a small number of video iPods produced after Sept. 12, 2006, were reported to be harboring the RavMonE virus.

It didn’t harm the iPod, but it could have affected Windows PCs when the device was plugged in. Though Apple issued a formal apology for the glitch, it also pointed a finger at Microsoft.

These threats in the form of software programs or hacking tools either target the USB port or the PC as a vector for malware and leave a company vulnerable to Sarbanes-Oxley violations or the mishandling of consumer data.

Malware Most Recent

WORM_NUWAR.AOK
ELF_PODLOSO.A
PE_FUBALCA.A-O
TROJ_ANICMOO.AV
TROJ_ANICMOO.AX
TROJ_DLOADER.MC
WORM_WALLA.B
PE_EXPIRO.B
JS_FEEBS.XV
WORM_WAREZOV.AP

Source: Trend Micro

Developers Warned

Fortify Software has come forward to warn Web site developers that most frameworks for deploying interactive functionality use JavaScript in a way that could lead to their applications leaking user data.

Fortify stated in a recently released report that the problem, dubbed JavaScript hijacking by the firm, occurs because popular asynchronous JavaScript and XML (AJAX) toolkits use the scripting language as a transport mechanism without due consideration being given to security. The basic threat is that malicious Web sites could use cross-site request forgery (XSRF) to steal data from other AJAX-enabled Web applications.

According to Brian Chess, chief scientist for Fortify Software, the problem does not currently affect a large number of sites, but AJAX use is on the rise. This opens up a new world to developers, with a brand new security consideration and the task of finding solutions to fix it.

Over the last two years, JavaScript technology has increasingly been mined by security researchers for new ways to attack visitors to Web sites. In 2005, the Samy worm used AJAX to spread among MySpace users’ accounts, making “samy” a friend of the user. Last year, researchers warned that Web worms will increasingly become a problem as interactive technology such as Web 2.0 continues to be adopted. The dangers were highlighted in the last few months as attackers have increasingly used Web site compromises to seed otherwise legitimate sites with JavaScript that redirects visitors to malicious sites.

Chess said that JavaScript hijacking is a totally new threat. This is a case where even educated developers didn’t know it was a big deal because even the security community didn’t know it was there.

JavaScript hijacking takes advantage of the current trend of applications communicating data through JavaScript structures.

Web applications that use JavaScript Object Notation (JSON), for example, pass data using valid JavaScript statements. The attack would allow a malicious Web site to send requests for data to a target Web site through the user. Because of the vulnerability, the same origin policy, which normally restricts JavaScript to acting on a page from the same domain as the script, can be defeated.

According to Fortify’s paper, Web applications that bring together data from one or more outside sources and include a callback function are easy to hijack. Other applications built on frameworks such as Microsoft’s ASP.NET Atlas, XAJAX and Google’s Web Toolkit are also vulnerable to hijacking. A number of purely client-side libraries, such as Prototype, Script.aculo.us and Dojo, also include the vulnerabilities.

Only developers can fix such problems; no one else can do that. A related issue affected online movie rental service Netflix last year.

Fortify suggested two fixes for the issue. Any defense that prevents cross-site request forgery (XSRF) attacks would also defeat JavaScript hijacking, the firm said. The best way to implement the defense would be to include a hard-to-discover token with every request, so that URLs are not easily guessable. Another way to fix the issue would be to have the client and server include extraneous code in the JavaScript request that has to be removed first; otherwise execution would be halted.
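
The two fixes described above, sketched for Node.js as an added example (not code from Fortify's report or from any of the frameworks named in this article). The function names, the session id, the HMAC-derived token and the `)]}',` prefix are assumptions chosen for illustration; here the extraneous code is placed at the front of the JSON body the server returns.

```javascript
const crypto = require('node:crypto');

// Assumed prefix: not valid JavaScript, so a cross-site <script> include halts with a syntax error.
const PREFIX = ")]}',\n";
// Per-deployment secret key (constructed for this example).
const SECRET = crypto.randomBytes(32);

// Fix 1: a hard-to-discover token, bound to the user's session, sent with every request.
function issueToken(sessionId) {
  return crypto.createHmac('sha256', SECRET).update(sessionId).digest('hex');
}

// Constant-time comparison of the token supplied with the request.
function tokenIsValid(sessionId, token) {
  const expected = Buffer.from(issueToken(sessionId), 'hex');
  const given = Buffer.from(String(token), 'hex');
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Server side: refuse requests without a valid token; prefix every JSON body (fix 2).
function handleRequest(sessionId, token, data) {
  if (!tokenIsValid(sessionId, token)) {
    return { status: 403, body: PREFIX + JSON.stringify({ error: 'bad token' }) };
  }
  return { status: 200, body: PREFIX + JSON.stringify(data) };
}

// Legitimate same-origin client: strip the prefix, then parse as data (never eval).
function parseResponse(body) {
  if (!body.startsWith(PREFIX)) throw new Error('missing anti-hijacking prefix');
  return JSON.parse(body.slice(PREFIX.length));
}

// Models what a <script src="..."> include does with the body: treat it as code.
function parsesAsScript(body) {
  try { new Function(body); return true; } catch (e) { return false; }
}
```

A bare JSON array is itself a valid JavaScript statement, which is why `parsesAsScript` accepts it unprefixed and rejects it once the prefix is present.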

Fortify discussed the issue with the developers of the major AJAX frameworks and they all plan to fix the issue in the next release of their software. This issue was publicised in order to bring the security problem to the attention of the general developer community, since many are using homegrown frameworks.

Celeb spam

Security companies from all over the world recently reported a highly critical vulnerability in Microsoft Windows that can allow an attacker to control an affected system.

According to the reports, there was a security flaw in the way Windows handles ANI files which allows the attackers to connect to an affected system and take control over it. At that time, the hackers tried to find new victims through e-mail spam by sending numerous messages from a fake Microsoft e-mail address. Sophos describes another technique used by the attackers, who are now trying to lure victims by sending them Britney Spears and Paris Hilton related spam.

The initial campaign began with just a link to a Russian Web site which contained a script that pointed at a zero-day exploit of Microsoft’s animated cursor (ANI) vulnerability. Since the initial campaign, the hackers’ attack has evolved. In the last few days spam messages with subject lines such as “Hot pictures of Britney Spears” have contained an embedded image of the scantily clad pop star which links to a number of Web sites on which hackers have planted the animated cursor exploit.

According to the security company, the users are encouraged to click on a malicious link by an e-mail message containing Britney Spears pictures. Although the developer of Windows, the software giant Microsoft, already published a patch to fix the vulnerability, the hackers are continuously working on new techniques to exploit the flaw. So, no matter if the e-mail message has Britney Spears, Paris Hilton or any other celebrity pictures, avoid clicking on them because you might get your computer infected.

© Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.